Merge pull request #4 from Perun-Engineering/feat/registry-database

sirantd · web-flow · commit 3ae3e5556081 · 2026-02-21T18:50:40.000+10:00
feat: Add registry database
diff --git a/.releaserc.json b/.releaserc.json
@@ -0,0 +1,40 @@
+{
+    "branches": ["main", "master"],
+    "ci": false,
+    "plugins": [
+      [
+        "@semantic-release/commit-analyzer",
+        {
+          "preset": "conventionalcommits"
+        }
+      ],
+      [
+        "@semantic-release/release-notes-generator",
+        {
+          "preset": "conventionalcommits"
+        }
+      ],
+      [
+        "@semantic-release/github",
+        {
+          "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
+          "labels": false,
+          "releasedLabels": false
+        }
+      ],
+      [
+        "@semantic-release/changelog",
+        {
+          "changelogFile": "CHANGELOG.md",
+          "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
+        }
+      ],
+      [
+        "@semantic-release/git",
+        {
+          "assets": ["CHANGELOG.md"],
+          "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+        }
+      ]
+    ]
+  }
diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.36.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.11.0 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.38.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 3.0.1 |
 
 ## Modules
 
@@ -42,14 +42,15 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 | Name | Type |
 |------|------|
 | [helm_release.gitlab](https://registry.terraform.io/providers/hashicorp/helm/2.11.0/docs/resources/release) | resource |
-| [kubernetes_namespace.gitlab](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-| [kubernetes_secret.gitlab_omniauth_providers](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [kubernetes_secret.gitlab_rails_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [kubernetes_secret.gitlab_registry_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [kubernetes_secret.ldap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [kubernetes_secret.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [kubernetes_secret.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
-| [kubernetes_secret.smtp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_namespace_v1.gitlab](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
+| [kubernetes_secret_v1.gitlab_omniauth_providers](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.gitlab_rails_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.gitlab_registry_storage](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.ldap](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.registry_postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
+| [kubernetes_secret_v1.smtp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/eks_cluster) | data source |
 | [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/region) | data source |
@@ -67,6 +68,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL
 | <a name="input_namespace_labels"></a> [namespace\_labels](#input\_namespace\_labels) | Labels for GitLab namespace | `map(string)` | `{}` | no |
 | <a name="input_omniauth_providers"></a> [omniauth\_providers](#input\_omniauth\_providers) | OmniAuth providers | `map(string)` | `{}` | no |
 | <a name="input_redis_password"></a> [redis\_password](#input\_redis\_password) | Password to access Redis database | `string` | n/a | yes |
+| <a name="input_registry_database_password"></a> [registry\_database\_password](#input\_registry\_database\_password) | Password to access Registry PostgreSQL database | `string` | `null` | no |
 | <a name="input_release_max_history"></a> [release\_max\_history](#input\_release\_max\_history) | Maximum saved revisions per release | `number` | `10` | no |
 | <a name="input_release_name"></a> [release\_name](#input\_release\_name) | This is the name of the release which also used as a prefix or suffix for the resources | `string` | `"gitlab"` | no |
 | <a name="input_release_namespace"></a> [release\_namespace](#input\_release\_namespace) | Namespace name where you want to deploy the release. If empty, `release_name` will be used. | `string` | `""` | no |
diff --git a/examples/main.tf b/examples/main.tf
@@ -24,10 +24,11 @@ module "gitlab" {
   release_name         = "gitlab"
   gitlab_chart_version = "7.8.1"
 
-  database_password = "database_password"
-  redis_password    = "redis_password"
-  smtp_user         = "postfix"
-  smtp_password     = "smtp_password"
+  database_password          = "database_password"
+  registry_database_password = "registry_datatabase_password"
+  redis_password             = "redis_password"
+  smtp_user                  = "postfix"
+  smtp_password              = "smtp_password"
   omniauth_providers = {
     "gitlab-omniauth-saml" = local.saml_google_provider
   }
@@ -67,15 +68,16 @@ EOF
 
   values = [
     templatefile("values.yaml", {
-      database_host     = "gitlab.xxxxxxxxxxxx.eu-central-1.rds.amazonaws.com"
-      database_port     = "5432"
-      database_username = "postgres"
-      redis_host        = "master.gitlab.xxxxxx.euc1.cache.amazonaws.com"
-      redis_port        = "6379"
-      release_name      = "gitlab"
-      bucket_prefix     = local.bucket_prefix
-      domain            = "example.com"
-      smtp_address      = "smtp.gmail.com"
+      database_host              = "gitlab.xxxxxxxxxxxx.eu-central-1.rds.amazonaws.com"
+      database_port              = "5432"
+      database_username          = "postgres"
+      registry_database_username = "gitlab_registry"
+      redis_host                 = "master.gitlab.xxxxxx.euc1.cache.amazonaws.com"
+      redis_port                 = "6379"
+      release_name               = "gitlab"
+      bucket_prefix              = local.bucket_prefix
+      domain                     = "example.com"
+      smtp_address               = "smtp.gmail.com"
     })
   ]
 
diff --git a/examples/values.yaml b/examples/values.yaml
@@ -29,6 +29,12 @@ global:
     username: ${database_username}
     database: gitlab
 
+
+  # Mainly for backups, https://docs.gitlab.com/charts/charts/registry/#installation-parameters, https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1464
+  # https://gitlab.com/gitlab-org/gitlab/-/issues/532507
+  registry:
+    bucket: ${bucket_prefix}-registry
+
   redis:
     host: ${redis_host}
     port: ${redis_port}
@@ -195,6 +201,16 @@ registry:
   storage:
     secret: ${release_name}-registry-storage
     key: config
+  database:
+    enabled: true
+    sslmode: require
+    host: ${database_host}
+    port: ${database_port}
+    user: ${registry_database_username}
+    name: gitlab_registry # if empty, defaults to `registry`
+    password:
+      secret: gitlab-registry-postgresql-password
+      key: registry-postgresql-password
   redis:
     cache:
       password:
diff --git a/main.tf b/main.tf
@@ -4,14 +4,14 @@ locals {
 
 data "aws_region" "current" {}
 
-resource "kubernetes_namespace" "gitlab" {
+resource "kubernetes_namespace_v1" "gitlab" {
   metadata {
     name   = local.release_namespace
     labels = var.namespace_labels
   }
 }
 
-resource "kubernetes_secret" "postgres" {
+resource "kubernetes_secret_v1" "postgres" {
   metadata {
     name      = "${var.release_name}-postgresql-password"
     namespace = local.release_namespace
@@ -27,7 +27,25 @@ resource "kubernetes_secret" "postgres" {
   type = "Opaque"
 }
 
-resource "kubernetes_secret" "redis" {
+resource "kubernetes_secret_v1" "registry_postgres" {
+  # Optional, at this moment S3-only can be used https://docs.gitlab.com/administration/packages/container_registry_metadata_database/
+  count = var.registry_database_password != null ? 1 : 0
+  metadata {
+    name      = "${var.release_name}-registry-postgresql-password"
+    namespace = local.release_namespace
+  }
+
+  data = {
+    registry-postgresql-password = var.registry_database_password
+    #We need below if we are going to deploy PostgreSQL next to the Gitlab in the EKS
+    #not as RDS for PostgreSQL
+    registry-postgresql-postgres-password = var.registry_database_password
+  }
+
+  type = "Opaque"
+}
+
+resource "kubernetes_secret_v1" "redis" {
   metadata {
     name      = "${var.release_name}-redis-password"
     namespace = local.release_namespace
@@ -40,7 +58,7 @@ resource "kubernetes_secret" "redis" {
   type = "Opaque"
 }
 
-resource "kubernetes_secret" "smtp" {
+resource "kubernetes_secret_v1" "smtp" {
   #count = local.values.global.smtp.authentication == "false" ? 0 : 1
 
   metadata {
@@ -55,7 +73,7 @@ resource "kubernetes_secret" "smtp" {
   type = "Opaque"
 }
 
-resource "kubernetes_secret" "gitlab_rails_storage" {
+resource "kubernetes_secret_v1" "gitlab_rails_storage" {
   metadata {
     name      = "${var.release_name}-rails-storage"
     namespace = local.release_namespace
@@ -64,20 +82,20 @@ resource "kubernetes_secret" "gitlab_rails_storage" {
   data = {
     connection = <<EOF
 provider: AWS
-region: ${data.aws_region.current.name}
+region: ${data.aws_region.current.id}
 use_iam_profile: true
 EOF
     config     = <<EOF
 [default]
-bucket_location = ${data.aws_region.current.name}
+bucket_location = ${data.aws_region.current.id}
 multipart_chunk_size_mb = 128
 EOF
   }
 
   type = "Opaque"
 }
 
-resource "kubernetes_secret" "gitlab_omniauth_providers" {
+resource "kubernetes_secret_v1" "gitlab_omniauth_providers" {
   for_each = local.omniauth_providers
   metadata {
     name      = each.value
@@ -91,7 +109,7 @@ resource "kubernetes_secret" "gitlab_omniauth_providers" {
   type = "Opaque"
 }
 
-resource "kubernetes_secret" "ldap" {
+resource "kubernetes_secret_v1" "ldap" {
   count = lookup(local.values.global.appConfig, "ldap", []) == [] ? 0 : 1
   metadata {
     name      = "${var.release_name}-ldap-password"
@@ -105,7 +123,7 @@ resource "kubernetes_secret" "ldap" {
   type = "Opaque"
 }
 
-resource "kubernetes_secret" "gitlab_registry_storage" {
+resource "kubernetes_secret_v1" "gitlab_registry_storage" {
   metadata {
     name      = "${var.release_name}-registry-storage"
     namespace = local.release_namespace
@@ -115,7 +133,7 @@ resource "kubernetes_secret" "gitlab_registry_storage" {
     config = <<EOF
 s3:
   bucket: ${var.bucket_prefix}-registry
-  region: ${data.aws_region.current.name}
+  region: ${data.aws_region.current.id}
   v4auth: true
 EOF
   }
@@ -251,9 +269,9 @@ resource "helm_release" "gitlab" {
   }
 
   depends_on = [
-    kubernetes_secret.postgres,
-    kubernetes_secret.redis,
-    kubernetes_secret.gitlab_rails_storage,
+    kubernetes_secret_v1.postgres,
+    kubernetes_secret_v1.redis,
+    kubernetes_secret_v1.gitlab_rails_storage,
     module.gitlab_role
   ]
 }
diff --git a/variables.tf b/variables.tf
@@ -39,6 +39,13 @@ variable "database_password" {
   sensitive   = true
 }
 
+variable "registry_database_password" {
+  type        = string
+  description = "Password to access Registry PostgreSQL database"
+  sensitive   = true
+  default     = null
+}
+
 variable "redis_password" {
   type        = string
   description = "Password to access Redis database"
